The Jamf Log Stream is a feature available only to customers of the Jamf Cloud Premium offering. The Jamf Log Stream makes data from the Change Management and Access logs available for consumption via Splunk, Amazon S3 or an HTTPS endpoint. Additional information regarding the configuration of your endpoint to receive these log files can be found here.
To assist third parties with ingesting information provided by Jamf, this article provides sample data, as well as general formatting of data provided in these logs.
The Access Log tracks login attempts to Jamf Pro, including the date, username, IP address and entry point. Below you can find a snippet pulled directly from the Access Log to demonstrate the format of the data.
2021-09-09T08:44:00,679: username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=Universal API
2021-09-09T08:44:01,121: username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=JSS
2021-09-09T11:56:01,012: username=jssadmin, status=Successful Login, ipAddress=10.1.1.1, entryPoint=JSS (API)
2021-09-28T13:51:35,768: username=sampleUser, status=Failed Login, ipAddress=10.1.1.1, entryPoint=JSS
It is worth noting that an entryPoint value of "Universal API" corresponds with the Jamf Pro API, a value of "JSS (API)" corresponds with the Classic API and "JSS" refers simply to the Jamf Pro web application user interface. Furthermore, the Jamf Pro user interface leverages the Jamf Pro API for many features, including login workflows, so entries for both entryPoint values should be expected when authenticating to the user interface.
Beginning in Jamf Pro version 10.35.0, individual requests to the Classic API using bearer token authentication no longer log entries to the access log. Requests to obtain the bearer token continue to be logged and identified by the "Universal API" entry point, regardless of which API the token is subsequently used with.
The Change Management log tracks Create, Read, Update and Delete operations made to the Jamf Pro environment. The data output to this log has a high degree of variability, based on the object type that's being interacted with. Below you can find a snippet that has been modified to demonstrate the standard data format of a log entry.
[username (ID: #)] [OPERATION] [Resource] [Date]
Below is a snippet pulled directly from the Change Management log which further demonstrates the data format using actual values. Many log entries include additional information related to the resource that was accessed, which is further demonstrated below.
[Jamf Pro System (ID: -1)] [READ] [Device Communication Settings] [2021-08-27T08:03:33.332-0500]
Computers - when the built-in CA is renewed true
Computers - when the MDM profile expires .......... true
Computers - days before the MDM profile expires 180
Devices - when the built-in CA is renewed ......... true
Devices - when the MDM profile expires true
Devices - days before the MDM profile expires ..... 180
[jssadmin (ID: 1)] [DELETE] [Computer] [2021-09-09T08:48:43.115-0500]
ID 113
Name ......... Lauras MacBook Pro
[jssadmin (ID: 1)] [UPDATE] [User] [2021-09-28T14:23:31.983-0500]
UNKNOWN
[jssadmin (ID: 1)] [READ] [Computer] [2021-09-28T14:26:37.524-0500]
ID 3
Name ......... Alishia's MacBook Air
- Changes initiated by Jamf Pro are identified by the "Jamf Pro System" user with an ID value of -1.
- Additional information about the resource may be included below each log entry.
- The format of additional information for a resource is unique to each resource type.
- The format and type of additional information associated with a specific resource type is subject to change without notice.
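One way to ingest the Change Management format described above, shown as an added example that is not part of Jamf's documentation or code. It parses only the bracketed header and keeps the per-resource detail lines as raw text, since their layout is subject to change. The names ChangeEntry, parse_change_log and human_changes are hypothetical, the "CREATE" spelling is assumed to follow the other operations, and the sample input is constructed from the snippet on this page.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Header layout from the page: [username (ID: #)] [OPERATION] [Resource] [Date]
HEADER = re.compile(
    r"^\[(?P<user>.+) \(ID: (?P<uid>-?\d+)\)\] \[(?P<op>[A-Z]+)\] "
    r"\[(?P<resource>[^\]]+)\] \[(?P<ts>[^\]]+)\]$"
)

@dataclass
class ChangeEntry:
    user: str
    user_id: int
    operation: str
    resource: str
    timestamp: datetime
    details: list = field(default_factory=list)  # raw lines; layout varies per resource

def parse_change_log(text):
    """Group each header line with the free-form detail lines that follow it."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
            entries.append(ChangeEntry(m["user"], int(m["uid"]), m["op"], m["resource"], ts))
        elif line and entries:  # detail lines with no preceding header are ignored
            entries[-1].details.append(line)
    return entries

def human_changes(entries, operations=("CREATE", "UPDATE", "DELETE")):
    """State-changing entries not made by the "Jamf Pro System" user (ID -1)."""
    return [e for e in entries if e.user_id != -1 and e.operation in operations]

# Constructed sample input, following the snippet shown on this page.
SAMPLE = """\
[Jamf Pro System (ID: -1)] [READ] [Device Communication Settings] [2021-08-27T08:03:33.332-0500]
Computers - days before the MDM profile expires 180
[jssadmin (ID: 1)] [DELETE] [Computer] [2021-09-09T08:48:43.115-0500]
ID 113
Name ......... Lauras MacBook Pro
[jssadmin (ID: 1)] [UPDATE] [User] [2021-09-28T14:23:31.983-0500]
UNKNOWN
[jssadmin (ID: 1)] [READ] [Computer] [2021-09-28T14:26:37.524-0500]
"""

if __name__ == "__main__":
    for e in human_changes(parse_change_log(SAMPLE)):
        print(e.timestamp.isoformat(), e.user, e.operation, e.resource, e.details)
```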
Logs are synchronized every 5 minutes or when the log size reaches 5MB, whichever occurs first. Most environments do not experience enough traffic to require syncs to occur more than every 5 minutes.
Log files are sent to the specified endpoint in an uncompressed GZIP format.